CVE-2025-67038 is a CVSS 9.8 unauthenticated OS command injection in the Lantronix EDS5000 serial device server, now confirmed as actively exploited and listed in the CISA KEV catalog with a remediation deadline of 2026-06-26. Attackers can inject arbitrary shell commands through the username parameter and execute them with root privileges, giving full device control without credentials. EDS5000 units are commonly deployed as serial-to-Ethernet bridges in OT and ICS environments, placing industrial process equipment directly in the blast radius.

Author

Tech Jacks Solutions